Migrating from a Stand-alone to an Enterprise CA

Updated: August 13, 2009

Applies To: Windows Server 2003 with SP1

Despite the best planning intentions, it may be necessary to change the configuration of a Windows-based certification authority from a stand-alone mode to an enterprise mode. It may also be necessary to change the configuration of a CA that was first installed as an NT 4.0 certification authority that was included in the NT 4.0 Option Pack. For example, an NT 4.0 CA may be upgraded in place to a stand-alone CA and later converted to an enterprise CA to work with Exchange 2000. For NT 4.0 upgrade procedures, see the help files in Windows 2000 or Windows Server 2003. This section provides a walkthrough of the steps required to convert a Windows Server 2003 stand-alone CA to an enterprise CA.

Note

It is not possible to convert a root CA to a subordinate CA, or vice versa.

The first step in migrating the CA is backing up the existing key pairs used by the CA and its database. To backup the CA keys and database, right-click the CA node in the MMC and choose Back up CA under All Tasks.

Next, you must back up the certificate database, the CA certificate, and the CA private key. Select Private key and CA certificate and Certificate database and certificate database log, then choose the appropriate path for the backup files.

Note

The backup path should not contain old backup files. Use the command-line tool Certutil.exe if you want to overwrite old backup files.

Enter a strong password. This password is used to protect the CA's private key.

Important

Do not lose this password or you will not be able to restore the keys on the new CA.

Review the summary, and click Finish to complete the backup.

You have now successfully backed up the CA keys and database. Next, you should remove the stand-alone CA from the server by uninstalling it. Uninstall the CA by removing the Certificate Services from the Windows Components.

Join the computer to a domain in the forest if it is not already joined to one.

Best Practice The recommended best practice is to install CAs as a member of the root domain in the forest to provide centralized administration and control of the PKI services. For additional best practices, see the Windows Server 2003 Resource Kit.

Reinstall the CA by adding the Certificate Services to the Windows Components.

Select Enterprise root CA as the CA Type, and select custom settings for the key generation.

Note

You must be an Enterprise Admin to install an Enterprise CA.

Choose the CSP that has access to the old CA keys, and choose the same keys and certificate used with the old CA.

Note

If your CA has multiple keys, choose the original key used by the old CA. This can be determined by the number appended to the key where no number means oldest.

Select Preserve existing certificate database to use the old database. This enables the new Enterprise CA to keep track of any pending requests to the old stand-alone CA, as well as any certificates issued or revoked by it.

When prompted for stopping the IIS service, click Yes to finish the installation of the CA.